From 79c8c852b3a5adba11401a764a23db90236d684d Mon Sep 17 00:00:00 2001
From: fbsanchez <fborja.sanchez@artica.es>
Date: Fri, 11 Dec 2020 11:26:45 +0100
Subject: [PATCH 1/2] Force try remote before falling back to local if admin
 user

---
 pandora_console/include/auth/mysql.php | 20 ++++++++++++--------
 1 file changed, 12 insertions(+), 8 deletions(-)

diff --git a/pandora_console/include/auth/mysql.php b/pandora_console/include/auth/mysql.php
index 638282d381..6b0cd9594d 100644
--- a/pandora_console/include/auth/mysql.php
+++ b/pandora_console/include/auth/mysql.php
@@ -80,16 +80,20 @@ function process_user_login($login, $pass, $api=false)
 {
     global $config, $mysql_cache;
 
-    // Always authenticate admins against the local database
-    if (strtolower($config['auth']) == 'mysql' || is_user_admin($login)) {
+    // 1. Try remote.
+    $login_remote = process_user_login_remote(
+        $login,
+        io_safe_output($pass),
+        $api
+    );
+
+    // 2. Try local.
+    if ($login_remote == false
+        && ($config['fallback_local_auth'] || is_user_admin($login))
+    ) {
         return process_user_login_local($login, $pass, $api);
     } else {
-        $login_remote = process_user_login_remote($login, io_safe_output($pass), $api);
-        if ($login_remote == false && $config['fallback_local_auth']) {
-            return process_user_login_local($login, $pass, $api);
-        } else {
-            return $login_remote;
-        }
+        return $login_remote;
     }
 
     return false;

From 4d2b890712eec1f50c1dfafeba2c2cda2dd95fb7 Mon Sep 17 00:00:00 2001
From: fbsanchez <fborja.sanchez@artica.es>
Date: Fri, 11 Dec 2020 11:31:18 +0100
Subject: [PATCH 2/2] minor fixes

---
 pandora_console/include/auth/mysql.php | 30 +++++++++++++++-----------
 1 file changed, 18 insertions(+), 12 deletions(-)

diff --git a/pandora_console/include/auth/mysql.php b/pandora_console/include/auth/mysql.php
index 6b0cd9594d..ebc50a06a8 100644
--- a/pandora_console/include/auth/mysql.php
+++ b/pandora_console/include/auth/mysql.php
@@ -68,27 +68,33 @@ $config['admin_can_make_admin'] = true;
 
 
 /**
- * process_user_login accepts $login and $pass and handles it according to current authentication scheme
+ * Process_user_login accepts $login and $pass and handles it according to
+ * current authentication scheme.
  *
- * @param string  $login
- * @param string  $pass
- * @param boolean $api
+ * @param string  $login Login.
+ * @param string  $pass  Pass.
+ * @param boolean $api   Api.
  *
- * @return mixed False in case of error or invalid credentials, the username in case it's correct.
+ * @return mixed False in case of error or invalid credentials, the username in
+ * case it's correct.
  */
 function process_user_login($login, $pass, $api=false)
 {
-    global $config, $mysql_cache;
+    global $config;
 
     // 1. Try remote.
-    $login_remote = process_user_login_remote(
-        $login,
-        io_safe_output($pass),
-        $api
-    );
+    if (strtolower($config['auth']) != 'mysql') {
+        $login_remote = process_user_login_remote(
+            $login,
+            io_safe_output($pass),
+            $api
+        );
+    } else {
+        $login_remote = false;
+    }
 
     // 2. Try local.
-    if ($login_remote == false
+    if ($login_remote === false
         && ($config['fallback_local_auth'] || is_user_admin($login))
     ) {
         return process_user_login_local($login, $pass, $api);